7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Size

405KB
MD5

00f93566b51b48cda7cebf5fbd760130
SHA1

1aaa033c5cff4b23265b90464a96c852c03b26da
SHA256

7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827
SHA512

86ff15f67140cba204ac26e1176f55bdcd88726cf0b9df17824eff3f16f4e72418bb9f1d48c71cae2b90a114f3780f3f5fc07007b1dbf1c99d41de1e53e73cc2
SSDEEP

6144:5C7EnZXH6xdDJ/oHeN+uqljd3rKzwN8Jlljd3njPX9ZAk3fig:5CAE1Q4+XjpKXjtjP9Ztx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe

Executes dropped EXE 28 IoCs

pid	Process
3432	Kdcijcke.exe
4668	Kgbefoji.exe
3880	Kmlnbi32.exe
932	Kpjjod32.exe
3932	Kcifkp32.exe
3384	Lpocjdld.exe
3132	Lgikfn32.exe
4540	Lcpllo32.exe
2292	Lnepih32.exe
3184	Lpcmec32.exe
5060	Lilanioo.exe
2752	Laciofpa.exe
412	Ljnnch32.exe
2692	Lknjmkdo.exe
4868	Mahbje32.exe
4808	Mnocof32.exe
976	Mcklgm32.exe
5084	Mdkhapfj.exe
2744	Mkepnjng.exe
220	Mkgmcjld.exe
2516	Mnfipekh.exe
4812	Nkjjij32.exe
4536	Njljefql.exe
1604	Nceonl32.exe
4356	Nkncdifl.exe
2124	Nbhkac32.exe
368	Nnolfdcn.exe
2488	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3956	2488	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3432	1020	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe	83
PID 1020 wrote to memory of 3432	1020	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe	83
PID 1020 wrote to memory of 3432	1020	7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe	83
PID 3432 wrote to memory of 4668	3432	Kdcijcke.exe	84
PID 3432 wrote to memory of 4668	3432	Kdcijcke.exe	84
PID 3432 wrote to memory of 4668	3432	Kdcijcke.exe	84
PID 4668 wrote to memory of 3880	4668	Kgbefoji.exe	85
PID 4668 wrote to memory of 3880	4668	Kgbefoji.exe	85
PID 4668 wrote to memory of 3880	4668	Kgbefoji.exe	85
PID 3880 wrote to memory of 932	3880	Kmlnbi32.exe	86
PID 3880 wrote to memory of 932	3880	Kmlnbi32.exe	86
PID 3880 wrote to memory of 932	3880	Kmlnbi32.exe	86
PID 932 wrote to memory of 3932	932	Kpjjod32.exe	87
PID 932 wrote to memory of 3932	932	Kpjjod32.exe	87
PID 932 wrote to memory of 3932	932	Kpjjod32.exe	87
PID 3932 wrote to memory of 3384	3932	Kcifkp32.exe	88
PID 3932 wrote to memory of 3384	3932	Kcifkp32.exe	88
PID 3932 wrote to memory of 3384	3932	Kcifkp32.exe	88
PID 3384 wrote to memory of 3132	3384	Lpocjdld.exe	89
PID 3384 wrote to memory of 3132	3384	Lpocjdld.exe	89
PID 3384 wrote to memory of 3132	3384	Lpocjdld.exe	89
PID 3132 wrote to memory of 4540	3132	Lgikfn32.exe	90
PID 3132 wrote to memory of 4540	3132	Lgikfn32.exe	90
PID 3132 wrote to memory of 4540	3132	Lgikfn32.exe	90
PID 4540 wrote to memory of 2292	4540	Lcpllo32.exe	91
PID 4540 wrote to memory of 2292	4540	Lcpllo32.exe	91
PID 4540 wrote to memory of 2292	4540	Lcpllo32.exe	91
PID 2292 wrote to memory of 3184	2292	Lnepih32.exe	92
PID 2292 wrote to memory of 3184	2292	Lnepih32.exe	92
PID 2292 wrote to memory of 3184	2292	Lnepih32.exe	92
PID 3184 wrote to memory of 5060	3184	Lpcmec32.exe	93
PID 3184 wrote to memory of 5060	3184	Lpcmec32.exe	93
PID 3184 wrote to memory of 5060	3184	Lpcmec32.exe	93
PID 5060 wrote to memory of 2752	5060	Lilanioo.exe	94
PID 5060 wrote to memory of 2752	5060	Lilanioo.exe	94
PID 5060 wrote to memory of 2752	5060	Lilanioo.exe	94
PID 2752 wrote to memory of 412	2752	Laciofpa.exe	96
PID 2752 wrote to memory of 412	2752	Laciofpa.exe	96
PID 2752 wrote to memory of 412	2752	Laciofpa.exe	96
PID 412 wrote to memory of 2692	412	Ljnnch32.exe	97
PID 412 wrote to memory of 2692	412	Ljnnch32.exe	97
PID 412 wrote to memory of 2692	412	Ljnnch32.exe	97
PID 2692 wrote to memory of 4868	2692	Lknjmkdo.exe	98
PID 2692 wrote to memory of 4868	2692	Lknjmkdo.exe	98
PID 2692 wrote to memory of 4868	2692	Lknjmkdo.exe	98
PID 4868 wrote to memory of 4808	4868	Mahbje32.exe	100
PID 4868 wrote to memory of 4808	4868	Mahbje32.exe	100
PID 4868 wrote to memory of 4808	4868	Mahbje32.exe	100
PID 4808 wrote to memory of 976	4808	Mnocof32.exe	101
PID 4808 wrote to memory of 976	4808	Mnocof32.exe	101
PID 4808 wrote to memory of 976	4808	Mnocof32.exe	101
PID 976 wrote to memory of 5084	976	Mcklgm32.exe	102
PID 976 wrote to memory of 5084	976	Mcklgm32.exe	102
PID 976 wrote to memory of 5084	976	Mcklgm32.exe	102
PID 5084 wrote to memory of 2744	5084	Mdkhapfj.exe	104
PID 5084 wrote to memory of 2744	5084	Mdkhapfj.exe	104
PID 5084 wrote to memory of 2744	5084	Mdkhapfj.exe	104
PID 2744 wrote to memory of 220	2744	Mkepnjng.exe	105
PID 2744 wrote to memory of 220	2744	Mkepnjng.exe	105
PID 2744 wrote to memory of 220	2744	Mkepnjng.exe	105
PID 220 wrote to memory of 2516	220	Mkgmcjld.exe	106
PID 220 wrote to memory of 2516	220	Mkgmcjld.exe	106
PID 220 wrote to memory of 2516	220	Mkgmcjld.exe	106
PID 2516 wrote to memory of 4812	2516	Mnfipekh.exe	107

C:\Users\Admin\AppData\Local\Temp\7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe
"C:\Users\Admin\AppData\Local\Temp\7b48060d33bbc147f539efd426843e2043eec92a3462eaa77e25dfddeb8e0827.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\Kdcijcke.exe
  C:\Windows\system32\Kdcijcke.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\Kgbefoji.exe
    C:\Windows\system32\Kgbefoji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\SysWOW64\Kmlnbi32.exe
      C:\Windows\system32\Kmlnbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        29⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 400
        30⤵
        Program crash
        
        PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2488 -ip 2488
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
405KB

MD5
51fa86618ac4e2a6b3db7fd0b122b217

SHA1
b369a77a560f8fff21ac2bd92ce51195748eb20c

SHA256
be0a3fe47041dcf0ac0a477d33290d007650e905c60409e08cd94f76bef728d6

SHA512
ee0435434395d0f997977973f312469f0682e896a47b42bba0a454f9fb2f3510993e3e65e7da797b50ee18bc153e21458b7038afc030b41f0aebc40d4e70bce3

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
405KB

MD5
d157cd637a4cdd5beee5e7747123844c

SHA1
3b05728d524c7c366f9b521570d690aaaf1a01d7

SHA256
93ee88e651601a3a3d2f4516ed6056f39459a8e43e4deec28ca4f14573db8a1a

SHA512
318ff09e044db78d78f48a85f78166c9706e3a9fa3548ba6f5131fe147ec56bf069f9c35e064bd7801be0b696d34d51392f7d2495d214b9fbf0ed679847a5ad9

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
405KB

MD5
64fccd7971d475a1401d6e4b8fa4536f

SHA1
3400d56fa394721ce4a9cb90f4d74cccf2871e25

SHA256
6f7510235f9986840707440798afabaefc0e715c2690e06bd7b45365d84fb2e8

SHA512
fe9306ba7c5145d17072fc803f7287cd26fbb5dc37f0f2125f91f819e17f6c5a05b60a33dfe5113335f7c88346cb9f50d464b23a6a1288c639936754f03b787c

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
405KB

MD5
72c5d663b303f439a17cc6b6ba3520c7

SHA1
0036ce014fed6c8f1c7107cac98b30467733c794

SHA256
6fa4155c7fd28d2f8dc8e7e278effcdf2efa5412cf363e3aa3ced7d399ef0cfb

SHA512
edf3eaacc423a615243af16abe9342a38842ecb7cea88706602d7bb2103347881fe721698684349cb14701a3dce5b7ab3db8ac6f8961e4569b2d089fe5a7bf58

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
405KB

MD5
d3e46b796c1603392dde5f2f5f4e30d1

SHA1
f04cf0aaefc8d7da3578499507500bf54a2c1516

SHA256
68c21c0cd3061908e015e72a192aa9aa26fc1f55873b10b6b9b6b9589d71f2b8

SHA512
c0a74f017e97f22aeba9cbb297d73175ba26f6636e16b9e397f0f75a9ea5021d85f624e36635fb4d9d8e3e565a1ba5078bfbe0043a08adf011cf380efcefd7b9

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
405KB

MD5
2efde9499c8a3b8c8b357e969d386edc

SHA1
84691d2b689d9a959e975e82a189a3c23ec5cff7

SHA256
b4974d330ab5c48703cfb9d42b5ea414bbfaab6cb9911766d4499f05f765d5f5

SHA512
919a3d29d01df3242e04d93568fe15fea9b535bb607e8aaebbf07a272ebde029bbae66538b0a74098e5e64a4bc362aa0e884143f48948f84b92e7a0cffb6e617

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
405KB

MD5
250517f08ebc66ab09724b34110e8106

SHA1
a49eefd39121c4a7330905a5b9feede7c00ed771

SHA256
f3e73057fdaf28b8a4bd6cea876a22af4749799371f43c910c5a88d7cfd08748

SHA512
1850463a6d5c20ed8a227811058d07a25f26d7a1865fc247b4c3d60f971e7bddb49be34d0e7e5d1cef92eb576c2149a22c8610c14c9a79e8e7595b8c28272bbb

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
405KB

MD5
ceddb3a3cb69ddd9e1aa63c3ddac4dcb

SHA1
5bdfbe2832c1b5db91d6f373f503adf990ff34a0

SHA256
280f098f318b3e47835a26322d6b4f5e679a0199336b2a84d63992f70d11b398

SHA512
6cfcaa4debe359b71d6a14ba33643777327d055f631e104439624e7af999ea28ddf7fdf153bd4116fd58f892d472a894a809d2ffd3013b737c0dad412248dde0

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
405KB

MD5
f2fe5db010f6a4cb21aa74717bff5112

SHA1
719626d17abcdd9006092ca58d32e1de8862018b

SHA256
22bbbd096ccf1b14821988d527eb91a615fc4fb86128cf9b890f382bc928eebf

SHA512
db7af42fc8317b0a855f6e7339cce386b2e0bfc6da78f509addba5367d3c677343c21bf31b58a1f20269e6ca115aea5ee5d90c1eff9c60bc2659d57d80ed9a23

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
405KB

MD5
70a0bb82a0a455f43bd49b84c039c4b5

SHA1
55b091b0fa15ea4804e598758f1d5e437f7d37b7

SHA256
1eb29a9c0cfaf60e3a097b5628f8c09503a33573dced4f5672e12d5550476070

SHA512
14ac466a9d0adef70b5a214b90e65719dc983dfa4f7f1f89d11431c8c828be367f45babacd1765cfb406c7dfca7a967de17143995a5b80505cc017b1a2d72010

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
405KB

MD5
aa604d654247649d80e82fc7f9ceaba1

SHA1
a4bacc6c61130d98a2ae647dd3410780b59bce35

SHA256
0c5ef8c6d27c78de63e01ce99003152f374874206ba793aae1ccb21651fb4017

SHA512
c2fc25ab0f3b534fb94fcf502bc683c927dfbbcbc493dd30329347deda136fc2ecccce69d403baa0443ca4f17184685e7c29af55d152e202f76e062ac9d4ea77

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
405KB

MD5
8c43706ed3a05fe0c110b2854dfbeed1

SHA1
0c1a3deac03ab8a2a832df17bf96a0ed08c0711b

SHA256
ae0d29c769d6c9ee7df5a619066091b2209e69c7a0cb7510bbad2dd6ac0ea24b

SHA512
dca1cc47ba34e7139bb3ccf56a1e4aebb57dbd96ab07b1562c36a15a84d2e13e8503488982b161b4cdb2fd0d86f4fa63e11ede1f3f70e64657349451cdd322bc

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
405KB

MD5
8128fc7c1b30e19beeef02f0eecb5ce5

SHA1
06b428fc45aba857907de290b10de892448b8213

SHA256
a700442d37273036307d94a93e7c4e4f025b59de09142f581da7dc5910f052fb

SHA512
19fdd8dfcba0eb6036399c4d21f9dca666ef4ffc89e979f8f34c2353c76fdc5ddd51ba1b401b8179342b224f1fcec721ba67dccd6cb2d3f012640ebd9441e7f3

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
405KB

MD5
f4983f70bc0117a56a38f611d41bf657

SHA1
82227dd6039a78747182dab4bfa432297d1ed2a8

SHA256
f47fcd7f9e166b6743f7885ae532a6062af6a736cc370d9d3de2eaff3afebb0a

SHA512
b0958ef4fb6b08164e4d03fa8f073a149d7b412cdf537cd1476d3139b92983701e9f793aae17dcb52591dd22a38254e9d052324b9d97ef14de4b0a79ff74f091

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
405KB

MD5
1081f227b90c85e084a6a59ede2b69ae

SHA1
2020cca398673e9dc35b06ba483b0f97f0a3d108

SHA256
874cc59d4ad80803bf2c806fa00d02e9d024db728926ae02be2b86bc6f9237ae

SHA512
0f9b464a06590e1d8fc6644580f9026ef875a12add742a860e50d3dc5effa9624e2ad70389c6351302be1560a7112c303ec1e5d54b3e28208cf9caff03e5af56

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
405KB

MD5
092ab62941841e5c96457142937581d3

SHA1
c5ea0a31a3420c1dd5a7a79abac59198e4bcab98

SHA256
d473a305ebf5da899138a6e06dc1ab2f3f57fb6a0b0393f6676c975ab888da69

SHA512
0f59a42b8cb699d4e6b211076cfa246283cc3b2449d2925e4f409b1d63fb6395b31f6056e3fd75c3bd50e6a861e1da2a4ae3b111b6eda337d0ccd7593bc26c41

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
405KB

MD5
5c5c5e1384ae868a15fa29f60aa2ce25

SHA1
937d00ba1c3ac6db49cce7654e120b6c5c5e3095

SHA256
fe9291a2b3b30e26ee7548b5ae8e56ca817d5831b986b1a275a3a876eac25ec2

SHA512
755d2c41a3939778838d0f3a3c166a938ea7effbc07c041b316c909aa547f53bfe9c0bb71fd4d7c8af76faa8ead7fdb70900b27daac5ff3049482d093891f37d

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
405KB

MD5
f2730f711e94136012b4347124159965

SHA1
c4823d4b7101340596f328272c401dc0eb359751

SHA256
4b4e15be6de3d044300616b90d39b1995250c5eda9689b6b81e87aa53dbc08bd

SHA512
d1502a2a4da3eedfd9b19a709b4a34413642462e8a95a348a6bc73ad318338568dc71222cf1217f5ffd255335c2fde8518bb661f15c8bb2fc744575280d6158f

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
405KB

MD5
02f3fd363f42b7145d63553aafae2374

SHA1
3cf84d026d6067d6a0c8cdc26abceb607a2325e9

SHA256
05c41c148c4c7cd7b7b1e320e8a1d5de085b801806eb4cd8ca2cc47a82bae9e6

SHA512
03f24610800c6b054383a83e8debf2731314b26436162b8f28b65b26da1cafdd170281efa2958760df6e5b06ebdf06584df4bc8ac8ebbbd0b918ac418da7be36

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
405KB

MD5
c724f987867856b1f6cc7c51b435ddf1

SHA1
2e0cdc689fe9708c3082287561ce2ca1a3eef1f8

SHA256
61d13c0ab3b755c3753aeaac3be6255378bcc1f6b0cde195a37f476774512d30

SHA512
f525e9be2b6b877e8610fd2c532625ec9bc7a8c4c29fe10f58fd43a5ac0142391eefb14ff18fc1fd04a549fa775d67cbedf3a8b025cadaad66219c116ac806b2

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
405KB

MD5
676de90632403cab41b01c98e2a98370

SHA1
15d4bc670f362a4e9eede90c5f0bd08208515b19

SHA256
5165bcfb1dc05c38c7098235fbab7924ae5022bd21af8b3244380477cdea1512

SHA512
1c437f8a72053c75e691fe19abaa6a0380ece5c32341ef00395352966a087746c0d8208710d4c167ce019444d09594f1ce2d45562cc83c6100e9811f68373b0c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
405KB

MD5
29eedacbe83c0e9cb40cc4c12ff57c2f

SHA1
66fab771083b55c66325d15a1595738947448915

SHA256
b85a52cf625aa03fa980a1ef25840cbdf1f71369e3ac731b65502dde05818013

SHA512
02aff0d8bda6136f4fa704b79a73ea5b28cf7939f5de6cde63cf7d63386403f40614cf1d857547ba7c78814abbb7a2e3d9ae43b1b99dfec922c751fbd14d9ae5

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
405KB

MD5
be36ec32b9281928d63331cccf58ae3f

SHA1
008afc0f1e5f39c0163acdd8b469e5a26ee61c9f

SHA256
5144b88b464b5d657540af053e3b40610a807666f0b0cc0886bc6286b24a3375

SHA512
720748193502cfa0d8f6a349a5ef26ee12958b34173edeea8f34d0cbe1fa4f18b73421d9109c261c0131399552f36a743c11326778cd3de904e5eb877304396c

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
405KB

MD5
59eb183c22eb2821d511f941b550d8cd

SHA1
4276b90370901917dec24657059ad690de35c3f4

SHA256
7c01eecc8fab8672fab5bd3b4ef6b3cad92524bb2c5a531045153fa071567783

SHA512
bf10cad3498b8c5ccc2c470485974bf9e7f327640f5fc0996d482ddcbb2b7b46bc5d4b6d0fc982bb12dff6f9ce1a533acdbc1f1a777903d6c830ca6307beaa26

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
405KB

MD5
f6b0d2526d199b448d2257bd7737e294

SHA1
abd345c5285cbf72811333ce428c463758ba1636

SHA256
f8a6a4a3c35e5552d05572ede5cc02cf7c5a0fc3cd054ba697faa84498b5ef84

SHA512
93750e00c96e42f631dc5f53680bcf1cdcb24743d6e5eb7cbb4365ff817e8ac45663034f0a3608ba4667d6a0755595c841a7ba3bccba44153fd42756f090e42f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
405KB

MD5
ad982f0e00f906e3ade15db84b66e105

SHA1
329558eab60dcd76b895ea75224acfae6ef012aa

SHA256
4b20f4074600ba20059bcf1efa4b375cb17d9b3f4dd44d204def0bb4674c156a

SHA512
4dc31194d4605758bf9769b722e62dc8a4f5321bf4f4e3def1923e050272950f1e7adacc1bc7f9d0f43ba2972e98e0eb45d5d3d13efdbdd17474fd0c8551b974

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
405KB

MD5
3671e685bccbe705e0850769fa4a2183

SHA1
328c8d67605e42818a91554c0ae7d3a5b834910d

SHA256
1f8ee90add3affe9da0c6c036acde84097de6435e4cbdbe41944e783b0f6144b

SHA512
b8e53cc359f2e348fffad4e0f1b8d33b1b71a02c66cc7550a1f09228be36790d1808958e329e1e2128c0ce44fa5bc7719c6939bc6f5014839ecfcb5c8b93b41b

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
405KB

MD5
c79980abd731b93ec2fda51d0f639d56

SHA1
8011c19e4010a58943b443d84340e27193cc0c63

SHA256
935c8756f9c53b95c53d95e5f03ece49ef9c32cd48db8897e9e131e60883b1e8

SHA512
eab2be6c694e17af31118067a05ad66d3701b7d930429ef6dc84c24a01588ede24acfd94a1c078456bfaf5789705faa2ea43cc06c675f3ee19426f9934f29c1e

Download Submit
memory/220-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/220-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/368-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/368-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1604-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-202-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-51-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads